A response to recent reporting in Germany, in service of clarity and accountability:
-
@stagerabbit @davep I think most of the banks in Sweden are at least ok in this regard. I’ve had online banking for 30 years (pre internet), and it has always been two-factor. In the beginning only pin and single-use codes, but very quickly it became smartcard-based challenge-response with pin unlock of the smartcard, so theoretically very secure.
I’ve only done hanko based banking in Japan, so I’ve never seen online banking in Japan, but that seems horrible.
-
@EarthOrgUK @jtb @ahltorp @davep @signalapp Both my life insurance company and my overseas bank want me to send copies of my passport and proof of address over unencrypted email. When I complain, they say I should password protect the file and send the password in a separate unencrypted email to the same address.
Even if I find a way to send it securely, based on this, I doubt they store it securely.
@stagerabbit @EarthOrgUK @jtb @ahltorp @davep @signalapp If i go to a store and get repeatedly scammed, i don't go there again. If a bank does not handle security in a proper way, I'd leave that bank(I've done that in the past). I don't get how you can stick to your bank, if you believe their security is weak. It's their core competence after all...
-
@stagerabbit @EarthOrgUK @jtb @ahltorp @davep @signalapp If i go to a store and get repeatedly scammed, i don't go there again. If a bank does not handle security in a proper way, I'd leave that bank(I've done that in the past). I don't get how you can stick to your bank, if you believe their security is weak. It's their core competence after all...
@gsc You are privileged to have choices to switch to. I feel like I've already chosen the least bad options in my situation. I don't know where you live, but in many countries most banks have terrible security practices. @EarthOrgUK @jtb @ahltorp @davep @signalapp
-
@yetzt rather automatically Block any accountname with Signal & Support in it?
@signalappI *think* Signal's privacy guarantee implies Signal LLC not knowing users' display names, so they'd have no way of filtering them.
-
@tnhd @expertenkommision_cyberunfall @signalapp "such names" is quite complicated. Is it a list? A regular expression pattern? Machine-learning? I have a whack-a-mole image in my mind when I think about it. It's a bit like spam filters in general. And in the end the scammers can just try different profile names and pictures until the filter lets it pass and it still has a reasonable air of legitimity. I'm quite skeptical that it's worth the effort.
@skaphle
'Reasonable air of legitimity' is still going to be worse than 'Signal Support' and that would mean less people would be susceptible to these phishing attacks. I imagine it doesn't have to work perfectly to have less people be susceptible.
@expertenkommision_cyberunfall @signalapp -
First question that pops up:
Why the hell is anyone allowed to pose as something similar as „Signal support“?Second: How is such an organisation allowed to use a system
Like Signal? How does Signal apply to the legal needs of such Orgs? It seems that there are some serious issues here because the told features of Signal stand in contrast to legal needs (audits?), but Im no expert in this topic.@expertenkommision_cyberunfall @signalapp
You can make stuff auditable by having the conversations in a group chat that includes an "audit department" account. I think the US govt even has a forked version of the Signal client app that does something like this automatically.
-
@stagerabbit @EarthOrgUK @jtb @ahltorp @davep @signalapp If i go to a store and get repeatedly scammed, i don't go there again. If a bank does not handle security in a proper way, I'd leave that bank(I've done that in the past). I don't get how you can stick to your bank, if you believe their security is weak. It's their core competence after all...
@gsc @stagerabbit @jtb @ahltorp @davep @signalapp I have left one* of the banks in question and filed complaints every single day it took to leave with all my savings. I didn't have the spoons at the time to take it up with the regulators (financial and data), but I have been director/CTO of a regulated fintech, so I am fairly confident that I could get my complaint heard if I could devote 6 months of my time...
*It's complicated.
-
@gsc You are privileged to have choices to switch to. I feel like I've already chosen the least bad options in my situation. I don't know where you live, but in many countries most banks have terrible security practices. @EarthOrgUK @jtb @ahltorp @davep @signalapp
@stagerabbit @EarthOrgUK @jtb @ahltorp @davep @signalapp let me put it this way: if i don't trust them to handle passwords properly, i would not go there and hand them all my money, alternatives or not...
-
@gsc @stagerabbit @jtb @ahltorp @davep @signalapp I have left one* of the banks in question and filed complaints every single day it took to leave with all my savings. I didn't have the spoons at the time to take it up with the regulators (financial and data), but I have been director/CTO of a regulated fintech, so I am fairly confident that I could get my complaint heard if I could devote 6 months of my time...
*It's complicated.
@EarthOrgUK @stagerabbit @jtb @ahltorp @davep @signalapp well, that is the next (and correct) step. But i see people give up much earlier, like others wronging them, and then there are no consequences at all. Did it suck to have to switch the bank? Of course. Did i complain in written form? Multiple times. Did i loose a lot of time, which would be unnecessary, if they had done their job well? Yes, totally. But i don't regret, and more so, bad shit also happens because we let them. I'm not here to blame anyone who decides to do it differently, but stepping up is always uncomfortable, yet is worth it most of the times.
-
@stagerabbit @EarthOrgUK @jtb @ahltorp @davep @signalapp let me put it this way: if i don't trust them to handle passwords properly, i would not go there and hand them all my money, alternatives or not...
@gsc Really? You'd go without a bank? I don't think you've considered the implications of not being banked In a society that expects you to be banked.
This is really "well, if he'd said that to *my* mother, I would have punched him out" territory.
@EarthOrgUK @jtb @ahltorp @davep @signalapp -
@EarthOrgUK @stagerabbit @jtb @ahltorp @davep @signalapp well, that is the next (and correct) step. But i see people give up much earlier, like others wronging them, and then there are no consequences at all. Did it suck to have to switch the bank? Of course. Did i complain in written form? Multiple times. Did i loose a lot of time, which would be unnecessary, if they had done their job well? Yes, totally. But i don't regret, and more so, bad shit also happens because we let them. I'm not here to blame anyone who decides to do it differently, but stepping up is always uncomfortable, yet is worth it most of the times.
@gsc @stagerabbit @jtb @ahltorp @davep @signalapp Just did not have the mental bandwidth at the time, but that may change.
-
@gsc @stagerabbit @jtb @ahltorp @davep @signalapp Just did not have the mental bandwidth at the time, but that may change.
@EarthOrgUK That's also a big factor. Every couple of years I try to take some serious time and research alternatives. None yet that work for me. @gsc @jtb @ahltorp @davep @signalapp
-
@gsc Really? You'd go without a bank? I don't think you've considered the implications of not being banked In a society that expects you to be banked.
This is really "well, if he'd said that to *my* mother, I would have punched him out" territory.
@EarthOrgUK @jtb @ahltorp @davep @signalapp@stagerabbit @EarthOrgUK @jtb @ahltorp @davep @signalapp i am not lecturing you, you have to decide if you prefer giving in to what "society expects of you" vs. giving all my money to someone you don't trust.
Society expects lots of things, my recommendation is to only fulfill those that resonate with your heart
-
Because we don’t collect user data, what we know about these attacks comes from the victims of phishing. And from what victims have told us, the attacks followed a broad pattern: after tricking people into revealing their Signal credentials, attackers then used those credentials to take over their account and also frequently changed the associated phone number. 4/
@signalapp community note: Signal collects phone numbers
-
@claudius why should technical skills like that be a requirement for people to have something to say in politics? The stakes are too high as they are now, you need to have rhetoric skills, a mindset to make it to the top and a bunch of other privileges.
We shouldn't individualize everything, it's a structural problem and there should be structural measures in place to prevent politicians from making those mistakes. It's a government we're talking about, they have the resources.
-
@claudius why should technical skills like that be a requirement for people to have something to say in politics? The stakes are too high as they are now, you need to have rhetoric skills, a mindset to make it to the top and a bunch of other privileges.
We shouldn't individualize everything, it's a structural problem and there should be structural measures in place to prevent politicians from making those mistakes. It's a government we're talking about, they have the resources.
-
R relay@relay.mycrowd.ca shared this topic
